This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.

STIG ID: AZLX-23-000110 | SRG: SRG-OS-000366-GPOS-00153 | Severity: medium (CAT II) | CCI: CCI-003992 | Vulnerability Id: V-273995

Vulnerability Discussion

Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, including updates, with a GPG key so that they can be verified as valid.

Check

Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values.

Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default.

List Amazon Linux GPG keys installed on the system:

$ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n"
gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key

If there is no Amazon Linux GPG key installed, this is a finding.

Extract the fingerprint from the key with this command:

$ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023
pub rsa4096/D832C631 2022-12-08 [SC]
Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
uid Amazon Linux <amazon-linux@amazon.com>

Compare the key fingerprint with the fingerprint published in the Amazon documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html

If key fingerprints do not match, or the key file is missing, this is a finding.

Fix

Configure Amazon Linux 2023 so that the public key used to verify RPM packages is installed; the key is shipped with the "system-release" package.

Install the system-release package with the following command:
$ sudo dnf install -y system-release

Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and adding the following line under '[main]':

gpgcheck=1
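The following script is an added example, not part of the STIG text or of any AWS tooling. It automates both the Check (key imported into the RPM database, key file present, fingerprint matches) and the Fix verification (gpgcheck=1 under [main] in dnf.conf). It assumes the key file path and fingerprint quoted above; the EXPECTED_FP value must still be confirmed against the AWS documentation page before the script is trusted. The sample gpg output and the two dnf.conf fragments are constructed so the parsing functions can be exercised on a host without rpm or gpg.

```shell
#!/bin/sh
# Added example for AZLX-23-000110 (not STIG or AWS code).
# Assumption: key file and fingerprint are the values quoted in the STIG check;
# confirm EXPECTED_FP against https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html

KEY_FILE="/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023"
EXPECTED_FP="B21C50FA44A99720EAA72F7FE951904AD832C631"

# Read `gpg --with-fingerprint` output on stdin and print the first fingerprint
# as 40 uppercase hex characters with spaces removed. Prints nothing if absent.
fingerprint_from_gpg_output() {
  sed -n 's/^[[:space:]]*Key fingerprint = //p' | head -n 1 | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 when the given fingerprint is non-empty and equals EXPECTED_FP.
fingerprint_matches() {
  [ -n "$1" ] && [ "$1" = "$EXPECTED_FP" ]
}

# Read dnf.conf text on stdin; return 0 only if the [main] section sets gpgcheck=1.
# The last assignment in [main] wins; commented lines and other sections are ignored.
dnf_gpgcheck_enabled() {
  awk -F= '
    /^[[:space:]]*\[/ {
      section = $0
      sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
    }
    section == "main" && $1 ~ /^[[:space:]]*gpgcheck[[:space:]]*$/ {
      v = $2; gsub(/[[:space:]]/, "", v); last = v
    }
    END { if (last == "1") exit 0; exit 1 }
  '
}

# Full host check. Exit 0 = not a finding, 1 = finding. Requires rpm, gpg, dnf.conf.
check_al2023_package_verification() {
  if ! rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n' 2>/dev/null \
       | grep -q 'Amazon Linux'; then
    echo "FINDING: no Amazon Linux GPG key imported into the RPM database"
    return 1
  fi
  if [ ! -r "$KEY_FILE" ]; then
    echo "FINDING: key file $KEY_FILE is missing or unreadable"
    return 1
  fi
  fp=$(gpg -q --keyid-format short --with-fingerprint "$KEY_FILE" 2>/dev/null \
       | fingerprint_from_gpg_output)
  if ! fingerprint_matches "$fp"; then
    echo "FINDING: fingerprint '$fp' does not match expected $EXPECTED_FP"
    return 1
  fi
  if ! dnf_gpgcheck_enabled < /etc/dnf/dnf.conf; then
    echo "FINDING: gpgcheck=1 is not set under [main] in /etc/dnf/dnf.conf"
    return 1
  fi
  echo "OK: Amazon Linux key present, fingerprint matches, gpgcheck enabled"
  return 0
}

# Constructed sample of gpg output (mirrors the lines quoted in the STIG check).
SAMPLE_GPG_OUTPUT='pub rsa4096/D832C631 2022-12-08 [SC]
      Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631
uid Amazon Linux <amazon-linux@amazon.com>'

# Constructed dnf.conf fragments: the weak setting and the corrected one.
WEAK_DNF_CONF='[main]
best=True
gpgcheck=0'
FIXED_DNF_CONF='[main]
best=True
gpgcheck=1'

# Run the live host check only when explicitly requested, e.g. RUN_CHECK=1 sh thisfile.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_al2023_package_verification
fi
```

Source the file and call check_al2023_package_verification on an Amazon Linux 2023 host, or set RUN_CHECK=1 to run it directly; the parsing helpers are separated from the host commands so the fingerprint normalization and the [main]-scoped gpgcheck parsing can be tested offline. A key that is only present as a file but not imported into the RPM database is still reported as a finding, matching the order of the STIG check.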